>From f3ea702a3a7cb0f83bc95d7af61109036ddcc577 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 4 Aug 2014 13:36:42 +0200
Subject: [PATCH] PAC: krb5_pac_verify failures should not be fatal

As noted in the MIT KRB5 documentation, some servers send PAC with no checksum, therefire the PAC validation should not be fatal, instead, we should treat a failure from krb5_pac_verify as if there was no PAC at all.

Reported on sssd-devel by Thomas Sondergaard
---
 src/sss_client/sssd_pac.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/sss_client/sssd_pac.c b/src/sss_client/sssd_pac.c
index 469758a65c1ec3502becb48175753a965a48773c..d1790df50465772e1f310f84e7e6b0e364192720 100644
--- a/src/sss_client/sssd_pac.c
+++ b/src/sss_client/sssd_pac.c
@@ -151,7 +151,16 @@ static krb5_error_code sssdpac_verify(krb5_context kcontext,
                             req->ticket->enc_part2->times.authtime,
                             req->ticket->enc_part2->client, key, NULL);
     if (kerr != 0) {
-        return EINVAL;
+        /* The krb5 documentation says:
+         * A checksum mismatch can occur if the PAC was copied from a
+         * cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server
+         * Open Directory (as of 10.6) generates PACs with no server checksum
+         * at all. One should consider not failing the whole authentication
+         * because of this reason, but, instead, treating the ticket as
+         * if it did not contain a PAC or marking the PAC information as
+         * non-verified.
+         */
+        return 0;
     }
 
     sss_data.len = sssdctx->data.length;
-- 
1.9.3
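Review bot: The new `return 0;` collapses two different outcomes of krb5_pac_verify into one silent path: a PAC that carries no server checksum (the benign case the quoted documentation describes) and a PAC whose checksum is present but wrong, which can point at a tampered or mis-issued ticket; after this change neither case leaves any trace, so an integrity failure is indistinguishable from "no PAC" to anyone troubleshooting or auditing a login. If the krb5 build in use reports the two cases with distinct codes (MIT krb5 appears to return a missing-buffer error for an absent checksum and KRB5KRB_AP_ERR_BAD_INTEGRITY for a mismatch, which is worth confirming against the supported versions), consider keeping the hard failure only for the mismatch, e.g. `if (kerr == KRB5KRB_AP_ERR_BAD_INTEGRITY) return EINVAL;` placed before the `return 0;`. The added comment quotes the rationale but not the consequence in this code path; a line such as `/* Returning here without filling sss_data means the responder never sees this PAC, i.e. the login is handled as if no PAC were present. */` would tell the next reader what "non-fatal" means for sssd. sssdpac_verify begins before this hunk and continues after it.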